Cybersecurity company Kaspersky has devised a lightweight method for detecting indicators of infection in response to the escalating threat of iOS spyware, including sophisticated strains like Pegasus, Reign, and Predator. The innovative approach involves analyzing Shutdown.log, an overlooked forensic artifact within mobile iOS devices. 

(Photo: JOEL SAGET/AFP via Getty Images) This studio photographic illustration shows a smartphone with the website of Israel's NSO Group, which features 'Pegasus' spyware, on display in Paris on July 21, 2021.

Identifying Traces of Pegasus on your iPhone

Kaspersky's experts made a noteworthy discovery, identifying traces of Pegasus infections in the Shutdown.log, stored in the sysdiagnose archive of iOS devices. This archive captures information from each reboot session, allowing anomalies associated with Pegasus malware to surface in the log upon device reboot.

Unusual instances, such as "sticky" processes hindering reboots, particularly those associated with Pegasus, were among the identified indicators. Cybersecurity community observations also contributed to the detection of infection traces, according to Kaspersky.

"The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections," Maher Yamout, Lead Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT), said in a statement.  

When an infection is confirmed by processing other iOS artifacts with the Mobile Verification Toolkit (MVT), Shutdown.log becomes an integral component of a comprehensive approach to investigating iOS malware infections.

In their analysis of Pegasus infections within Shutdown.log, Kaspersky experts detected a common infection path, particularly "/private/var/db/," which mirrored paths observed in infections caused by other iOS malware such as Reign and Predator. 

The researchers believe this log file holds the potential for detecting infections linked to these malware families.

To simplify the identification of spyware infections, specialists at Kaspersky have created a self-assessment tool for users. Utilizing Python3 scripts, this tool allows for the extraction, analysis, and parsing of the Shutdown.log artifact. It has also been openly shared on GitHub, ensuring accessibility for users on macOS, Windows, and Linux platforms.
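To make the approach concrete, here is an added example (written for this article, not Kaspersky's published scripts) that parses a constructed Shutdown.log excerpt, tracks which processes were still running at each reboot, and reports those living under the "/private/var/db/" prefix together with how many reboots they lingered through. The log layout, the sample paths and the PIDs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed Shutdown.log excerpt (not from a real device). Assumed layout: one
# "SIGTERM:" header per reboot, then "remaining client pid: <pid> (<path>)" lines
# for processes that were still running when the system tried to shut down.
SAMPLE_LOG = """\
SIGTERM: [0x1a2b3c] Mon Jan  8 09:15:02 2024
        remaining client pid: 412 (/usr/libexec/locationd)
        remaining client pid: 577 (/private/var/db/example_suspicious/agent)
SIGTERM: [0x1a2b3d] Tue Jan  9 08:02:44 2024
        remaining client pid: 590 (/private/var/db/example_suspicious/agent)
SIGTERM: [0x1a2b3e] Wed Jan 10 07:41:19 2024
        remaining client pid: 603 (/private/var/db/example_suspicious/agent)
"""

REBOOT_RE = re.compile(r"^SIGTERM:")
CLIENT_RE = re.compile(r"remaining client pid:\s*(?P<pid>\d+)\s*\((?P<path>[^)]+)\)")
# Path prefix the article reports as common to Pegasus, Reign and Predator traces.
SUSPICIOUS_PREFIX = "/private/var/db/"


def parse_shutdown_log(text):
    """Map each lingering process path to the (reboot index, pid) pairs it appeared in."""
    sightings = defaultdict(list)
    reboot = -1
    for line in text.splitlines():
        if REBOOT_RE.match(line):
            reboot += 1  # a new shutdown session starts
            continue
        m = CLIENT_RE.search(line)
        if m and reboot >= 0:
            sightings[m.group("path")].append((reboot, int(m.group("pid"))))
    return dict(sightings), reboot + 1


def find_indicators(text):
    """Report processes under the suspicious prefix and how many reboots they lingered in."""
    sightings, total_reboots = parse_shutdown_log(text)
    hits = []
    for path, seen in sightings.items():
        if path.startswith(SUSPICIOUS_PREFIX):
            hits.append({
                "path": path,
                "pids": [pid for _, pid in seen],
                "reboots_seen": len({r for r, _ in seen}),
                "total_reboots": total_reboots,
            })
    return hits
```

A process that reappears under a new PID at every reboot, as the constructed agent does here, is the "sticky" pattern the article describes; a benign daemon seen once is filtered out by the prefix check.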


How to Protect Yourself from Advanced iOS Spyware

In addition to the innovative detection method, Kaspersky offers practical tips for users to enhance their defenses against advanced iOS spyware:

1. Reboot Daily: Regular daily reboots can disrupt the persistence of zero-click 0-day exploits, making it necessary for attackers to repeatedly reinfect, which could increase the chances of detection over time.

2. Lockdown Mode: Apple's newly added Lockdown Mode has demonstrated success in blocking iOS malware infections, according to the researchers.

3. Disable iMessage and FaceTime: Disabling these default features reduces the likelihood of falling victim to zero-click chains, minimizing potential exploitation vectors.

4. Keep Device Updated: Promptly install the latest iOS patches to stay ahead of exploit kits targeting known vulnerabilities.

5. Exercise Caution with Links: The researchers advise users against clicking on links received in messages to minimize the risk of falling victim to 1-click exploits delivered through various channels.

6. Check Backups and Sysdiags Regularly: Regularly processing encrypted backups and sysdiagnose archives with tools such as MVT and Kaspersky's scripts helps detect iOS malware in a timely manner.



ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.